In the conventional art, network security devices, such as Intrusion Detection Systems (“IDS”), Intrusion Prevention Systems (“IPS”), and firewalls, are used to detect and/or prevent intrusion events from infiltrating a computer network, such as an enterprise intranet. Existing network security solutions can respond to unwanted network traffic, such as viruses and hacker attacks, by altering the transport-layer of the computer network, typically by blocking packets, reconfiguring firewalls, or sending TCP reset signals to terminate or “kill” connections between a source and a destination for network traffic.
For example, a conventional IDS device can “eavesdrop” on or monitor network data traffic without interfering with the content of the network data traffic. In either an inline or out-of-line configuration, the IDS can monitor the network data traffic for an intrusion event. If the IDS detects an intrusion event, the IDS can send an alert to an administrator of the computer network to advise of a potential attack on the computer network. In addition, the IDS can termination or “kill” a TCP connection between the sender of the intrusion event and the intended destination or take defensive actions to reconfigure resources on the computer network.
An IPS is typically positioned “inline” with a computer network to monitor network traffic and to block certain network traffic in response to detecting an intrusion event. While an IDS passively monitors packets as they pass by on the network wire, an IPS typically stops the packets for an inspection before allowing the packets to pass to the intended destination within the computer network. In response to detecting an intrusion event, the IPS can block or “drop” the packet(s) by preventing the packet(s) from reaching the destination. This packet drop capability is often augmented with a “kill” connection feature that terminates the connection between the source and the destination to prevent the occurrence of a successful intrusion event.
Although conventional IDS and IPS devices are effective in detecting intrusion events and preventing unauthorized or inappropriate acts, conventional network security devices have certain performance limitations. For example, the act of blocking packets or terminating connections may accomplish the desired objective of preventing malicious behavior associated with an intrusion event. However, this type of network security response does not result in an efficient use of resources in the typical computing network system featuring a TCP environment.
When packets carried by a TCP transport are dropped by an IPS, the source responsible for the original transmission of such packets will automatically retransmit this network data to attempt delivery again to the intended destination. Valuable network resources and bandwidth are consumed while the victim of the attack, the intended packet destination, waits for a completed delivery of the packets and the original sender attempts a successful resend of the packets. To counter this problem, conventional IPS devices can terminate or “kill” the TCP connection between the source and destination by sending TCP reset signals to both the source and destination computers. This termination of the connection effectively frees the network resources from a resend cycle that would otherwise arise from the block of an intrusion event by an IPS device. Nevertheless, in many cases the source typically responds to the killed connection by creating a new connection in an attempt to send the information to the destination. While the termination of the original connection prevents the completion of a successful attack, the source's responsive act of creating a new connection results in a further inefficient use of network resources.
In addition, termination of a TCP connection by a conventional IPS is likely to prevent the delivery of e-mail messages from an upstream client to the destination, such as a downstream server. Because many viruses are carried by legitimate upstream e-mail systems; the killing of a connection each time a virus is discovered will prevent the successful delivery of all legitimate e-mail (as well as the virus) to the intended destination. Consequently, the termination of a TCP connection is not a selective response that targets only the intrusion event because this action prevents the delivery of all network data traffic from a source to the destination.
Those of skill in the art will recognize that conventional email proxy servers can remove an offending email message and allow other messages to pass to a destination computer in a computer network. A key difference between conventional IDS and IPS solutions and an email proxy server is that these network security systems typically pass packets to the intended destination without alteration while a proxy server alters all communications handled by the system. Another significant difference for these devices is that proxy servers process network data traffic at approximately 1% of the processing speed of conventional network security systems, such as IDS, IPS, and firewall systems.
In view of the forgoing, there is a need in the art for a network security solution that combines the processing advantages of conventional IPS and IDS devices with the defensive capabilities of proxy servers in order to prevent the successful occurrence of intrusion events in a distributed computer network. Particularly, a need exists in the art for altering harmful data traffic at the application layer to prevent intrusion events, while allowing harmless data traffic to pass through unaltered for delivery to the intended destination.